INTERNET COMMUNICATION IN

The Internet was designed to withstand nuclear attack, not to be secure from its own users.

• Never assume security, assume it's unsecure.

• When security is needed, have trained IT security people in your organization seek and implement proper tools.

People can easily send fake e-mails that appear to be from people you know/trust.

• Always digitally sign messages.

• Encourage everyone else to sign their messages.

• In all cases (even with signed messages) personalize an e-mail enough so that it's obvious a real person sent it.

Always verify suspicious messages before acting.

Even e-mails that are legit can be captured and read/modified in transit.

Secure e-mails with digital encryption.

Use file encryption or password protection if e-mail encryption isn't available.

Our carelessness makes the job easy for the adversary.

• If adequate protection is unavailable, don't [...] over the Internet. Evaluate other options and [...] to get secure tools.

• If you have secure tools, actually use them. If you don't know how, find out. Laziness is the adversary's best friend.

• Don't let forwarded and repeatedly replied messages snowball. Eliminate the unnecessary data so the adversary can't get the whole picture in one e-mail.

• Don't use CC to send e-mails to a list of people unless you specifically want everyone to see everyone else's e-mail address. In all other cases, send it to yourself (because everyone knows who you are already) and use BCC (blind carbon copy) instead.
BROWSING THE INTERNET

Cookies make shopping carts and online accounts work, but can be a risk in several ways.

• Delete cookies regularly or disable cookies through your browser. You can "whitelist" cookies from sites you need/trust while still blocking all others.

• Never use the "remember me" function on Web sites. This greatly increases your odds of having your account hijacked.

Companies want to know where you go online and use a function called "Web bugs" or "beacons" to do it. They look like ordinary images and are activated simply by viewing a Web page or e-mail.

• HTML bugs can only be blocked with special tools (hopefully being handled by your IT department).

• E-mail bugs can be completely blocked by selecting "text-only" in your e-mail settings or using an e-mail program that blocks images from untrusted senders.

Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.

• Use generic information when possible (e.g., ZIP codes instead of addresses).

• Alternate search engines to improve your re[...] prevent a single engine from getting the picture.

• If you use related services, always log out before searching so they can't tie your results to your account (e.g., log out of Yahoo! Mail before using Yahoo! Search).

Clicking any link online tells the target Web site which site you just came from; this can give away information you hadn't intended.

• When clicking links in search results, ask if c[...] of the data (search terms) in your address bar [...] give data away. If so, copy and paste a result to your address bar instead of clicking it.

When posting links on a Web site you control, ask if you want to broadcast to the linked site the fact that you linked to them. If not, print the links, but don't make them clickable so people have to cut and paste them instead.
Imposter sites will often mimic a legitimate site's URL through a common misspelling or by using another extension, like dot-com instead of dot-net. Get into the habit of typing Web site names into a search engine instead of the address bar.

• Many search engines pre-scan sites for malicious code and will warn you when you click them.

• Many anti-virus products have "site advisor" functions that provide visual warning icons for known bad sites.

• Search engines correct spelling, making it less likely you'll go to an unintended site.

Password security is key!

• Never use the same password from site to site. The owners of one site can easily try that name and password at other popular sites and see if it works.

• Never give any site any password for any reason. Most social networking sites ask for e-mail passwords while others ask for banking and credit card passwords. No matter how much they promise to protect and not misuse the information, history shows otherwise. The consequences of disregarding this rule can be severe.

[...] for the HTTPS in the address bar to verify that the transaction is secure—before entering a username, password, or any other important information. If it's not there, ask yourself if it's OK to broadcast openly and think twice before clicking the "submit" button.

Be cautious of fake alerts that look like legitimate warnings or system messages, but are not.

• Determine if the alert is real by closing all browser windows from the taskbar (don't click on or near the alert itself).

• If the alert remains, look to see if it mentions a Web site to visit or tool to download. If so, perform a Web search on the site or tool. If the results show that the site/tool is bogus, ignore [...] IT [...] your department to run virus and spyware scans on your machine.

Installation warnings are the last chance you have to prevent bad code from getting into your computer. They claim a "video player up[...] Say no to any "active-x" control or install warning unless you are sure of who created it, wh[...], and what it will do once installed.
POSTING ONLINE

Public visibility.

• Most things posted online are visible to everyone online (good and bad alike).

• Remember that even things posted "privately" often become public by accident or due to site security.

• Anything posted to your organization's Web site that's not protected by password or PKI authentication is publicly visible. Several other methods of protection are commonly attempted but can be bypassed easily (domain restriction, robots.txt file, etc.).

Don't rely on third-party sites to keep [...] safe.

• Third party sites may have been initiated or infiltrated by adversaries putting your data at risk.

• Data centers used by these sites may be in countries with weak data protection laws.

Third parties are often hacked or sell user data outright.

Watch for metadata in files.

• Microsoft Office documents typically have a creator's name and organization in the file properties. This can be shut off in the options, but is on by default.

• Photos may also list names (if software was [...]ed with the camera) and can also include GPS coordinates where the photo was taken.

• Photo editing software must be used to view and remove EXIF metadata in photos.

Photos often reveal too much.

• Buildings or natural features in the background can give away location.

• Reflective surfaces may show people name[...] other critical information.

• Photos of small animals or objects taken on [...] often provide palm and fingerprints to the adversary.

It is hard and often impossible to remove information from the Web after it has been posted, so be careful in the posting process before it's too late.
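A check for the Office file-properties point in this section, as an added example that is not part of the original brochure: it reports, and optionally empties, the creator, last-modified-by, company and manager fields of an Office Open XML file (.docx/.xlsx/.pptx). The function names, the choice of these four fields and the sample package (with made-up names) are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {  # namespaces used by the OOXML property parts
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",  # xsi:type values in core.xml use this prefix
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes when rewriting

# Identifying fields checked here: part name -> {report label: element path}
FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company", "manager": "ep:Manager"},
}

def audit(data: bytes, blank: bool = False):
    """Return (fields found, rewritten copy); blank=True empties the fields in the copy."""
    found, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if name in FIELDS:
                root = ET.fromstring(blob)
                for label, path in FIELDS[name].items():
                    node = root.find(path, NS)
                    if node is not None and (node.text or "").strip():
                        found[label] = node.text.strip()
                        if blank:
                            node.text = ""
                blob = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, blob)
    return found, out.getvalue()

def sample_docx() -> bytes:
    """Constructed stand-in for a .docx; the names in it are made up."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>J. Doe</dc:creator>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = '<Properties xmlns="%s"><Company>Example Unit</Company></Properties>' % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in (("docProps/core.xml", core), ("docProps/app.xml", app),
                           ("word/document.xml", "<doc/>")):
            z.writestr(name, text)
    return buf.getvalue()
```

Comments, tracked changes and custom properties can also carry names and are not covered by this check. ElementTree does not defend against entity-expansion payloads, so files from untrusted sources are better parsed with a hardened parser such as defusedxml.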
PRACTICE GOOD SYSTEM

Keep your computer secure.

• Lock your computer when walking away.

• Don't use a government laptop on your personal Internet or at hotspots unless instructed by your security officer that you may do so.

• Don't leave laptops in hotels or cars unless unavoidable, but use a locking cable or hide them when you must.

• Make sure your laptop has full disk encryption installed before taking it out of secure spaces.

• Don't allow others to use your government computer without your direct oversight.

Be wary of devices.

• Don't connect any USB device, floppy disk, or [...] to your computer unless it has been carefully scanned beforehand. Even store-bought products sometimes have viruses.

• Disable auto-run and auto-play functionality to help limit the damage a media virus can do.

Dispose of media properly.

• Data recovery is very sophisticated. Learn and follow your organization's media destruction policy.

• Remember that nearly all devices have data storage. Treat any USB device (not just thumb drives), floppies, CDs, phones, cameras, and hard drives as a disposal risk.

Practice good password safety.

• Don't e-mail or store any passwords unencrypted. Remember that a password to a classified system must be handled as classified itself.

• Don't put passwords on sticky notes or notepads unless you physically secure them.

• Learn how to create hard to guess, but easy to remember passwords and change them often.
PROTECT YOUR PORTABLE DEVICES

Wireless allows adversaries to connect at distances of up to a mile or more.

• Your movements can be tracked.

• Stored or transmitted data can be stolen.

• Stored or transmitted data can be modified.

Many portable devices (phones, laptops, earpieces) include wireless capability, but not security.

• Turn off wireless if it's not necessary.

• If security is present, learn and activate all security features appropriately.

• Remember commercial security is weak and shouldn't be relied on in most cases.

• When in doubt, pull the battery (where able) and put the device in an RF shielded container.

• Always first ask if portable devices are necessary for your mission. They're no risk if they're not used.

Portable wireless (particularly RFID in badges) can be used for individual identification; these devices must include strong authentication and encryption to deter these risks.

• Copying at a distance thus invalidating their [...] for keyless entry systems and personal identification (such as with US passcards).

• [...] movements

• Triggering cameras or even roadside bombs targeted for individuals.

Portable devices are easily lost or stolen.

• Always encrypt important data.

• Put strong lock-codes and passwords on your devices to prevent tampering.

• Keep them secure and out of adversary hands.






It is vital that we all understand that even informs
is UNCLASSIFIED is still important and in need of pi
protection.... The information we put out there is i 
and forever and it is incumbent upon all of us to strc 
that before putting anything out hype public da 


—LTG Keith B. Alexander, USA
Director, National Security Agency 
Executive Agent for Operations Security 


Think. Protect.
www.ioss. 



